Compliance

Data Privacy in IOT

One of the most interesting transformations happening in the world is the adoption of IOT (Internet of Things): automation (control) and monitoring of all the things in our daily use by connecting these activities to the internet. Already existing real-life cases include monitoring of automobiles' health by auto companies, security monitoring and regulation of home appliances, patient health monitoring, etc.

Business value creation is a function of regulatory compliance

The European Union and the United States of America have both been front runners in enhancing and enforcing privacy regulations across different industries. The focus has been to ensure, first, that there is sufficient notice to and adequate consent from customers[1] before personal data is processed; second, that personal data is processed with adequate security measures; and finally, that personal data is disposed of securely once the purpose for which it was acquired has been fulfilled.
The incentives for regulatory compliance have been increasing gradually across the globe. With GDPR formally put forth, any organization with EU interests carries a regulatory risk of the higher of 4% of global revenue and 20 million euros. This takes data regulatory risk straight into the board room.

Conflict between Business and Regulations

Information security regulations and how to assess their applicability for organizations

Quite often, organizations face dozens of information security laws and regulations and must decide which ones will actually satisfy their needs. The most commonly applied regulations are the Health Insurance Portability and Accountability Act, the Sarbanes-Oxley Act, the Federal Information Security Management Act of 2002, the Family Educational Rights and Privacy Act, the Gramm-Leach-Bliley Act, etc.

Vulnerability Management - Step 0

Compliance is critical and necessary, not evil. Every organization wants to meet its compliance requirements, and risk assessments and vulnerability management are key to achieving the critical ones.

Most of the time, organizations see Vulnerability Management as just another checkbox in the pursuit of compliance. They forget or ignore many of its aspects, or they lack the concrete foundations needed to carry out a well-drilled, well-oiled Vulnerability Management process, so the process becomes complicated or fails midway. Our job is to make the process as smooth as possible, and sometimes it is better to start at step 0.

GRC Part 1: Informed Decision Making

Governance, Risk and Compliance can be a challenging area for CIOs and CISOs to navigate. With the board of directors and C-suite as key stakeholders, the ability to deliver results through the complex GRC environment is now more critical than ever.
What has your GRC done for you lately?
Let's look at an example of a typical month for the CIO and CISO. Due to publicity of recent data breaches in the industry, you are scheduled to deliver an Information Security update at the next Audit Committee meeting.
1. The annual IT security risk assessment is complete and the results have been presented. The external risk consultants worked with internal teams to identify risks and weaknesses. You have captured the high points for the Audit Committee presentation.
2. You plan to make sure the enterprise risk register is up-to-date with findings, remembering to check in with the SOX and PCI teams. What is the status of PCI 3.0 readiness?

NERC CIP Compliance: North American Electric Reliability Corporation Critical Infrastructure Protection Compliance

For electrical utilities that are keen on maintaining strong cyber security standards across their enterprise and substations, NERC Critical Infrastructure Protection (CIP) compliance means necessary cyber resilience. NERC Reliability Standards define the reliability requirements for planning and operating the North American bulk power system and are developed using a results-based approach that focuses on performance, risk management, and entity capabilities.
NERC's jurisdiction includes users, owners, and operators of the bulk power system, which serves more than 334 million people. NERC Standards CIP-001 through CIP-011 provide a cyber security framework for the identification and protection of critical Cyber Assets to support reliable operation of the bulk electric system (BES). Listed below are the NERC CIP domains and objectives for infrastructure protection. Compliance with each domain will strengthen the security posture.

How important is ISO 27001 Compliance (ISMS Implementation) to an organization

When we talk about ISO 27001 compliance (ISMS implementation), the general assumption is that it is the responsibility of the CISO or a CXO of the organization to put things in place. People feel that the organization's security team needs to own the implementation and is responsible and accountable for getting the organization certified. Though the information security team plays the front-end role of putting the perspective in place, one needs to understand that ISMS implementation is more of a top-management-driven initiative and a top-down approach. Unless management intends to put security in place through policy, procedures, standards, and guidelines, the information security team cannot advocate it across the organization and drive it to achieve this compliance.